CLOUDSTACK-5920: Add some interface methods and constants required by IAM.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/793becf5 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/793becf5 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/793becf5 Branch: refs/heads/master Commit: 793becf524520c62fd5df35b22128db13347f6c9 Parents: d0ae4d9 Author: Min Chen <min.c...@citrix.com> Authored: Tue Mar 4 17:34:50 2014 -0800 Committer: Min Chen <min.c...@citrix.com> Committed: Wed Mar 5 09:40:55 2014 -0800 ---------------------------------------------------------------------- api/src/com/cloud/event/EventTypes.java | 13 ++++ .../apache/cloudstack/acl/PermissionScope.java | 25 +++++++ .../apache/cloudstack/acl/QuerySelector.java | 72 ++++++++++++++++++++ .../apache/cloudstack/acl/SecurityChecker.java | 22 +++++- .../org/apache/cloudstack/api/APICommand.java | 3 + .../cloudstack/api/ApiCommandJobType.java | 4 +- .../org/apache/cloudstack/api/ApiConstants.java | 18 +++++ .../src/com/cloud/template/TemplateManager.java | 3 + server/src/com/cloud/acl/DomainChecker.java | 6 ++ server/src/com/cloud/api/ApiServer.java | 3 +- server/src/com/cloud/api/ApiServerService.java | 2 + server/src/com/cloud/user/AccountManager.java | 4 ++ server/src/com/cloud/user/DomainManager.java | 3 + utils/src/com/cloud/utils/db/EntityManager.java | 6 ++ 14 files changed, 181 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/com/cloud/event/EventTypes.java ---------------------------------------------------------------------- diff --git a/api/src/com/cloud/event/EventTypes.java b/api/src/com/cloud/event/EventTypes.java index 7dd8772..ec54ea1 100755 --- a/api/src/com/cloud/event/EventTypes.java +++ b/api/src/com/cloud/event/EventTypes.java 
@@ -455,6 +455,19 @@ public class EventTypes {
 public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE";
+ // IAM events
+ public static final String EVENT_IAM_POLICY_CREATE = "IAMPOLICY.CREATE";
+ public static final String EVENT_IAM_POLICY_DELETE = "IAMPOLICY.DELETE";
+ public static final String EVENT_IAM_POLICY_GRANT = "IAMPOLICY.GRANT";
+ public static final String EVENT_IAM_POLICY_REVOKE = "IAMPOLICY.REVOKE";
+
+ public static final String EVENT_IAM_GROUP_UPDATE = "IAMGROUP.UPDATE";
+ public static final String EVENT_IAM_GROUP_CREATE = "IAMGROUP.CREATE";
+ public static final String EVENT_IAM_GROUP_DELETE = "IAMGROUP.DELETE";
+ public static final String EVENT_IAM_GROUP_GRANT = "IAMGROUP.GRANT";
+ public static final String EVENT_IAM_GROUP_REVOKE = "IAMGROUP.REVOKE";
+ public static final String EVENT_IAM_ACCOUNT_POLICY_UPDATE = "IAMACCOUNTPOLICY.UPDATE";
+
 // Object store migration
 public static final String EVENT_MIGRATE_PREPARE_SECONDARY_STORAGE = "MIGRATE.PREPARE.SS";
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/acl/PermissionScope.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/PermissionScope.java b/api/src/org/apache/cloudstack/acl/PermissionScope.java
new file mode 100644
index 0000000..03dbc10
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/PermissionScope.java
@@ -0,0 +1,25 @@
+package org.apache.cloudstack.acl;
+
+public enum PermissionScope {
+ RESOURCE(0),
+ ACCOUNT(1),
+ DOMAIN(2),
+ REGION(3), ALL(4);
+
+ private int _scale;
+
+ private PermissionScope(int scale) {
+ _scale = scale;
+ }
+
+ public int getScale() {
+ return _scale;
+ }
+
+ public boolean greaterThan(PermissionScope s) {
+ if (_scale > s.getScale())
+ return true;
+ else
+ return false;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/acl/QuerySelector.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/QuerySelector.java b/api/src/org/apache/cloudstack/acl/QuerySelector.java
new file mode 100644
index 0000000..b89aa4e
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/QuerySelector.java
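Review bot: `greaterThan` spells out a boolean with an if/else that returns literals; `return _scale > s.getScale();` says the same in one line. `_scale` is assigned only in the constructor and can be `final`, and `ALL(4)` sits on the same line as `REGION(3)` while the other constants are one per line. Unlike the sibling new file QuerySelector in this commit, this file carries no ASF license header. A type-level Javadoc stating that scopes are ordered by `scale` from the narrowest (`RESOURCE`) to the widest (`ALL`) would make `greaterThan` self-explanatory, since that ordering is what authorization decisions will compare on.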
@@ -0,0 +1,72 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +package org.apache.cloudstack.acl; + +import java.util.List; + +import com.cloud.user.Account; +import com.cloud.utils.component.Adapter; + +/** + * QueryChecker returns granted access at domain, account or resource level. + */ +public interface QuerySelector extends Adapter { + + /** + * List granted domains for the caller, given a specific action. + * + * @param caller account to check against. + * @param action action + * @return list of domain Ids granted to the caller account. + */ + List<Long> getAuthorizedDomains(Account caller, String action); + + /** + * List granted accounts for the caller, given a specific action. + * + * @param caller account to check against. + * @param action action. + * @return list of domain Ids granted to the caller account. + */ + List<Long> getAuthorizedAccounts(Account caller, String action); + + + /** + * List granted resources for the caller, given a specific action. + * + * @param caller account to check against. + * @param action action. + * @return list of domain Ids granted to the caller account. 
+ */ + List<Long> getAuthorizedResources(Account caller, String action); + + /** + * Check if this account is associated with a policy with scope of ALL + * @param caller account to check + * @param action action. + * @return true if this account is attached with a policy for the given action of ALL scope. + */ + boolean isGrantedAll(Account caller, String action); + + /** + * List of ACL group the given account belongs to + * @param accountId account id. + * @return ACL group names + */ + List<String> listAclGroupsByAccount(long accountId); + +} http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/acl/SecurityChecker.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java index ab3f7c5..aab88fe 100644 --- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java +++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java @@ -31,7 +31,7 @@ import com.cloud.utils.component.Adapter; public interface SecurityChecker extends Adapter { public enum AccessType { - ListEntry, ModifyEntry, ModifyProject, UseNetwork + ListEntry, ModifyEntry, ModifyProject, UseNetwork, OperateEntry, UseEntry } /** 
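Review bot: The `@return` tags on `getAuthorizedAccounts` and `getAuthorizedResources` both read `list of domain Ids granted to the caller account.`, copied from `getAuthorizedDomains`; they should say `list of account Ids granted to the caller account.` and `list of resource Ids granted to the caller account.` respectively. The type-level Javadoc calls the interface `QueryChecker` while the type is `QuerySelector`. It would also help implementers and callers to state whether an empty list or `null` is returned when nothing is granted, since the comments do not say and callers will build query filters from these lists.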
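Review bot: `OperateEntry` and `UseEntry` join `AccessType` without any comment on which operations each denotes, so an implementer of `SecurityChecker` has nothing to go on when deciding how to treat them. Any existing adapter that branches on specific `AccessType` values will not recognise the two new ones, and whether that falls through to deny or to allow depends on each implementation, which is worth checking before API commands start passing them. A one-line Javadoc per constant naming the kind of API operation it covers would settle the documentation half.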
@@ -76,6 +76,26 @@ public interface SecurityChecker extends Adapter { boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException; /** + * Checks if the account can access the object. + * + * @param caller + * account to check against. + * @param entity + * object that the account is trying to access. + * @param accessType + * TODO + * @param action + * name of the API + * @return true if access allowed. false if this adapter cannot provide + * permission. + * @throws PermissionDeniedException + * if this adapter is suppose to authenticate ownership and the + * check failed. + */ + boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException; + + + /** * Checks if the user belongs to an account that can access the object. * * @param user http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/api/APICommand.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/APICommand.java b/api/src/org/apache/cloudstack/api/APICommand.java index f0b46a4..6211afc 100644 --- a/api/src/org/apache/cloudstack/api/APICommand.java +++ b/api/src/org/apache/cloudstack/api/APICommand.java @@ -22,6 +22,7 @@ import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; +import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.acl.RoleType; @Retention(RetentionPolicy.RUNTIME) @@ -44,4 +45,6 @@ public @interface APICommand { boolean responseHasSensitiveInfo() default true; RoleType[] authorized() default {}; + + IAMEntityType[] entityType() default {}; } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/api/ApiCommandJobType.java ---------------------------------------------------------------------- 
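Review bot: The new `checkAccess` overload ships with `@param accessType TODO` in its Javadoc; the 3-argument overload shown as context directly above presumably documents the same parameter, and that text should be reused here (or at minimum `type of access being requested on the entity`). The `@param action` text `name of the API` should also state what implementations may do with it, because it is the only thing distinguishing this overload from the 3-argument one, and an adapter that ignores it (DomainChecker does so later in this commit) should be allowed to by contract. The interface body continues outside the hunk.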
diff --git a/api/src/org/apache/cloudstack/api/ApiCommandJobType.java b/api/src/org/apache/cloudstack/api/ApiCommandJobType.java index 3067af8..f27f001 100644 --- a/api/src/org/apache/cloudstack/api/ApiCommandJobType.java +++ b/api/src/org/apache/cloudstack/api/ApiCommandJobType.java @@ -49,5 +49,7 @@ public enum ApiCommandJobType { LoadBalancerRule, AffinityGroup, InternalLbVm, - DedicatedGuestVlanRange + DedicatedGuestVlanRange, + IAMPolicy, + IAMGroup } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/api/ApiConstants.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java index 7b7f9ca..14df653 100755 --- a/api/src/org/apache/cloudstack/api/ApiConstants.java +++ b/api/src/org/apache/cloudstack/api/ApiConstants.java 
@@ -544,6 +544,24 @@ public class ApiConstants {
 public static final String ROUTING = "isrouting";
 public static final String MAX_CONNECTIONS = "maxconnections";
 public static final String SERVICE_STATE = "servicestate";
+
+ public static final String IAM_ACCOUNT_IDS = "accountids";
+ public static final String IAM_MEMBER_ACCOUNTS = "memberaccounts";
+ public static final String IAM_PARENT_POLICY_ID = "parentpolicyid";
+ public static final String IAM_PARENT_POLICY_NAME = "parentpolicyname";
+ public static final String IAM_POLICY_IDS = "policyids";
+ public static final String IAM_POLICIES = "policies";
+ public static final String IAM_APIS = "apis";
+ public static final String IAM_GROUPS = "groups";
+ public static final String IAM_PERMISSIONS = "permission";
+ public static final String IAM_ACTION = "action";
+ public static final String IAM_SCOPE = "scope";
+ public static final String IAM_SCOPE_ID = "scopeid";
+ public static final String IAM_ALLOW_DENY = "permission";
+ public static final String ENTITY_TYPE = "entitytype";
+ public static final String ENTITY_ID = "entityid";
+ public static final String ACCESS_TYPE = "accesstype";
+ public static final String RESOURCE_DETAILS = "resourcedetails";
 public static final String EXPUNGE = "expunge";
 public static final String FOR_DISPLAY = "fordisplay";
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/engine/components-api/src/com/cloud/template/TemplateManager.java
----------------------------------------------------------------------
diff --git a/engine/components-api/src/com/cloud/template/TemplateManager.java b/engine/components-api/src/com/cloud/template/TemplateManager.java
index 0557a29..5987ac0 100755
--- a/engine/components-api/src/com/cloud/template/TemplateManager.java
+++ b/engine/components-api/src/com/cloud/template/TemplateManager.java
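Review bot: `IAM_PERMISSIONS` and `IAM_ALLOW_DENY` are both bound to the same wire name `"permission"`, so two differently named constants now denote one request parameter; a command that declares both as parameters would collide on the same key, and a reader cannot tell which constant a given response field belongs to. Keep one constant, or, if two distinct parameters are intended, give them distinct string values. `ENTITY_TYPE`, `ENTITY_ID`, `ACCESS_TYPE` and `RESOURCE_DETAILS` sit inside the IAM group but lack the `IAM_` prefix the rest of the group uses; if they are meant as general-purpose names a comment saying so would help.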
@@ -122,4 +122,7 @@ public interface TemplateManager { */ void prepareIsoForVmProfile(VirtualMachineProfile profile); + public static final String MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT = "Message.RegisterPublicTemplate.Event"; + public static final String MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT = "Message.ResetTemplatePermission.Event"; + } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/acl/DomainChecker.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java index 31b273f..f8acceb 100755 --- a/server/src/com/cloud/acl/DomainChecker.java +++ b/server/src/com/cloud/acl/DomainChecker.java @@ -319,4 +319,10 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { } return false; } + + @Override + public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) + throws PermissionDeniedException { + return checkAccess(caller, entity, accessType); + } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/api/ApiServer.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java index 3df599e..05fe6e8 100755 --- a/server/src/com/cloud/api/ApiServer.java +++ b/server/src/com/cloud/api/ApiServer.java @@ -891,7 +891,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer } } - private Class<?> getCmdClass(String cmdName) { + @Override + public Class<?> getCmdClass(String cmdName) { return s_apiNameCmdClassMap.get(cmdName); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/api/ApiServerService.java ---------------------------------------------------------------------- 
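Review bot: `MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT` and `MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT` are declared `public static final` on an interface, where those modifiers are implicit; the same applies to the constants added in the AccountManager, DomainManager and EntityManager hunks below. Nothing in this commit references any of these strings, and they look like message-bus topic names, so a short comment on each stating who is expected to publish and who to subscribe would make them usable by the IAM code that follows.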
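Review bot: The new `checkAccess(caller, entity, accessType, action)` discards `action` and delegates to the 3-argument overload, so DomainChecker returns the same answer whatever API name is passed, and callers expecting per-API granularity from this adapter will not get it. If that is intended, say so on the method: `// action is intentionally ignored: this checker does not authorize per API name.` The new `AccessType` values `OperateEntry` and `UseEntry` added in this commit also flow into the 3-argument overload, whose handling of them is outside this hunk and should be verified.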
diff --git a/server/src/com/cloud/api/ApiServerService.java b/server/src/com/cloud/api/ApiServerService.java index 8e078c6..bf0ba23 100644 --- a/server/src/com/cloud/api/ApiServerService.java +++ b/server/src/com/cloud/api/ApiServerService.java @@ -41,4 +41,6 @@ public interface ApiServerService { public String getSerializedApiError(ServerApiException ex, Map<String, Object[]> apiCommandParams, String responseType); public String handleRequest(Map params, String responseType, StringBuffer auditTrailSb) throws ServerApiException; + + public Class<?> getCmdClass(String cmdName); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/user/AccountManager.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java index 1f191fc..983caf1 100755 --- a/server/src/com/cloud/user/AccountManager.java +++ b/server/src/com/cloud/user/AccountManager.java @@ -188,4 +188,8 @@ public interface AccountManager extends AccountService { * @return account object */ Account lockAccount(String accountName, Long domainId, Long accountId); + + public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event"; + + public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event"; } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/user/DomainManager.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/DomainManager.java b/server/src/com/cloud/user/DomainManager.java index 41d9d34..f72b18a 100644 --- a/server/src/com/cloud/user/DomainManager.java +++ b/server/src/com/cloud/user/DomainManager.java 
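Review bot: `getCmdClass` is promoted onto the public service interface with no Javadoc, and the ApiServer implementation in this commit is a bare `s_apiNameCmdClassMap.get(cmdName)`, which, assuming that field is a `Map`, yields `null` for any unregistered name; callers on the interface have no way to know that. Propose `/** Returns the command class registered for the given API name, or {@code null} if the name is not a known API. */`. Since the method is now reachable by any component holding the service, callers should treat the name as untrusted input and handle the null rather than assume the command exists.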
@@ -47,4 +47,7 @@ public interface DomainManager extends DomainService { * @return Domain object if the command succeeded */ Domain updateDomain(UpdateDomainCmd cmd); + + public static final String MESSAGE_ADD_DOMAIN_EVENT = "Message.AddDomain.Event"; + public static final String MESSAGE_REMOVE_DOMAIN_EVENT = "Message.RemoveDomain.Event"; } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/utils/src/com/cloud/utils/db/EntityManager.java ---------------------------------------------------------------------- diff --git a/utils/src/com/cloud/utils/db/EntityManager.java b/utils/src/com/cloud/utils/db/EntityManager.java index 7612a75..8f4e385 100644 --- a/utils/src/com/cloud/utils/db/EntityManager.java +++ b/utils/src/com/cloud/utils/db/EntityManager.java @@ -75,4 +75,10 @@ public interface EntityManager { public <T, K extends Serializable> void remove(Class<T> entityType, K id); public <T, K extends Serializable> T findByIdIncludingRemoved(Class<T> entityType, K id); + + public static final String MESSAGE_REMOVE_ENTITY_EVENT = "Message.RemoveEntity.Event"; + + public static final String MESSAGE_GRANT_ENTITY_EVENT = "Message.GrantEntity.Event"; + public static final String MESSAGE_REVOKE_ENTITY_EVENT = "Message.RevokeEntity.Event"; + public static final String MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT = "Message.AddDomainWideEntity.Event"; }